Ever wonder what happens under the hood when you connect to a Windows share? There is one easy way to find out: use a packet sniffer like Wireshark.
What is Wireshark?
Wireshark is an easy-to-install and easy-to-use packet capture tool that is supported on both Windows and Linux. On Windows, Wireshark uses the Windows port of the pcap capture library as its primary mechanism for capturing packets. Wireshark sits on top of pcap to provide an easy-to-use interface and packet filters.
The easiest way to monitor packets between two machines is to simply install Wireshark on one of the two machines and then configure a filter to view traffic. In this example, we will monitor traffic between a Windows 10 client computer and a Windows 2012 server.
Create a file share
First, we’ll set up a share on a Windows 2012 machine. On the Windows 2012 machine, create a new folder and name it “Share.” Right-click it and select Properties. Go to the Sharing tab and select Share. Allow a user with administrative rights to access the share with read and write access. In this case, the administrator is already the owner of the shared folder.
Confirm that your share is published by running the net share command.
Client setup
Then, on a Windows 10 machine, we will connect to our newly created network share using the command line.
After confirming the connection to the share, it’s time to see what happens. Let’s install Wireshark on the Windows 10 computer. Wireshark is available for download from www.wireshark.org. In this example, we will use Wireshark-win64-2.6.6.exe. Just click Next and accept all the defaults in the setup wizard.
When launching Wireshark, the first step is always to start a capture on the designated interface. From the Wireshark menu go to Capture | Options. Select the desired listening interface and start capturing. In this case, we only have one network adapter to choose from.
Once the capture is running, you will see all traffic on the interface.
Traffic Filter
In order to see only the traffic participating in the SMB exchange, we need to configure some filters. If you don’t know all the filter syntax, Wireshark has a user-friendly graphical interface that you can use to build your filters. In the top bar, next to the display filter field, select Expression. The “Wireshark – Display Filter Expression” window opens.
In this window, navigate through the protocol list to find the appropriate field. In this case, the simplest introductory filter for narrowing our traffic is restricting it by IPv4 address.
We will go to the IPv4 address field and set ip.addr == 192.168.31.201, which is the IP address of the SMB server. The same expression can simply be typed directly into the display filter field if you are a more experienced Wireshark user. The display is now limited to traffic between our client and the Windows 2012 server.
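As an added example (not code from the original post), here is a small Python script that does what the display filter above does, plus tcp.port == 445 to keep only SMB, against a constructed pcap file built inline. The capture bytes are assumptions made up for the demonstration: the client address 192.168.31.50, the stub SMB2 payloads (just the protocol ID) and the unrelated HTTP frame are not from the walkthrough's real capture.

```python
import struct
SHARE_IP = "192.168.31.201"   # the Windows 2012 server from the walkthrough

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP frame."""
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4 carrying TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp)
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def smb_packets_for(pcap, host):
    """Same selection as the display filter: ip.addr == host && tcp.port == 445."""
    hits = []
    for src, dst, sport, dport, payload in iter_tcp(pcap):
        if host in (src, dst) and 445 in (sport, dport):
            kind = "SMB2" if payload[:4] == b"\xfeSMB" else "other"
            hits.append((src, dst, kind))
    return hits

# Constructed sample capture: two SMB2 frames with the share, one unrelated HTTP frame.
SAMPLE = build_pcap([
    build_frame("192.168.31.50", SHARE_IP, 50001, 445, b"\xfeSMB" + b"\x00" * 60),
    build_frame(SHARE_IP, "192.168.31.50", 445, 50001, b"\xfeSMB" + b"\x00" * 60),
    build_frame("192.168.31.50", "10.0.0.7", 50002, 80, b"GET / HTTP/1.1\r\n"),
])
```

Calling smb_packets_for(SAMPLE, SHARE_IP) returns only the two SMB2 frames, exactly the rows Wireshark would leave in the packet list under that filter.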
Let’s see if we can get more information from this capture. Let’s disconnect from the share first. On Windows 10, run Command Prompt as administrator and type net use \\192.168.31.201\share /delete. Below is an example of a TCP stream during the disconnect. This time, a little more information is visible in the clear.
Then we will restart the entire connection from the beginning to make sure our credentials are protected. First, confirm that the session is not established by running netstat and filtering for any ESTABLISHED sessions. Then reconnect to the share with explicit credentials and use Follow TCP Stream on the new connection.
Hooray! No passwords in clear text. However, I can see the username. It might be time to move to SMBv3.
This simple example demonstrates how to use Wireshark to monitor network connections. Wireshark can be used to capture all network traffic to troubleshoot connectivity issues, or to determine whether a packet exchange carries clear text that should be further protected. Wireshark is another tool that can be added to your security arsenal. Happy sniffing!